CavalierGPT: The First Comprehensive Infostealers AI Bot - Try Now →

Created by: lindbergh

Date created: 2022-12-16

Last edited: 2022-12-29

Description: Heatmap of instances of ATT&CK techniques for Raccoon Stealer v2 based on recent public CTI reporting (sources in notes for each technique).

Techniques (18)

  • Automated Collection

    ID: T1119

    Tactics: Collection

    Description: Raccoon Stealer v2 scans the disks and automatically collects files. (https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/)

  • Credentials from Web Browsers

    ID: T1555.003

    Tactics: Credential Access

    Description: Raccoon Stealer v2 collects passwords from popular browsers. (https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/)

  • Data from Local System

    ID: T1005

    Tactics: Collection

    Description: Raccoon Stealer v2 collects credentials of cryptocurrency wallets from the local system. (https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/)

  • Deobfuscate/Decode Files or Information

    ID: T1140

    Tactics: Defense Evasion

    Description: Raccoon Stealer v2 decodes strings and the C2 configuration in the malware using RC4 and base64. (https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/)

  • Dynamic-link Library Injection

    ID: T1055.001

    Tactics: Privilege Escalation, Defense Evasion

    Description: Raccoon Stealer v2 has the ability to load DLLs via LoadLibraryW and GetProcAddress. (https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/)

  • Exfiltration Over C2 Channel

    ID: T1041

    Tactics: Exfiltration

    Description: Raccoon Stealer v2 exfiltrates data over the C2 channel. (https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/)

  • File and Directory Discovery

    ID: T1083

    Tactics: Discovery

    Description: Raccoon Stealer v2 lists files and directories to grab files through all disks. (https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/)

  • Ingress Tool Transfer

    ID: T1105

    Tactics: Command and Control

    Description: Raccoon Stealer v2 downloads legitimate third-party DLLs for data collection onto compromised hosts. (https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/)

  • Native API

    ID: T1106

    Tactics: Execution

    Description: Raccoon Stealer v2 has the ability to launch files using ShellExecuteW. (https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/)

  • Obfuscated Files or Information

    ID: T1027

    Tactics: Defense Evasion

    Description: Raccoon Stealer v2 uses RC4-encrypted strings.  (https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/)

  • Process Discovery

    ID: T1057

    Tactics: Discovery

    Description: Raccoon Stealer v2 lists the current running processes on the system. (https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/)

  • Query Registry

    ID: T1012

    Tactics: Discovery

    Description: Raccoon Stealer v2 queries the Windows Registry key at HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid to retrieve the MachineGuid value. (https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/)

  • Screen Capture

    ID: T1113

    Tactics: Collection

    Description: Raccoon Stealer v2 captures a screenshot of the victim’s desktop. (https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/)

  • Software Discovery

    ID: T1518

    Tactics: Discovery

    Description: Raccoon Stealer v2 lists all installed software for the infected machine, by querying the Windows Registry key at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\uninstall (https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/)

  • Steal Web Session Cookie

    ID: T1539

    Tactics: Credential Access

    Description: Raccoon Stealer v2 harvests cookies from popular browsers. (https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/)

  • System Information Discovery

    ID: T1082

    Tactics: Discovery

    Description: Raccoon Stealer v2 collects OS version, host architecture, CPU information, RAM capacity and display device information. (https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/)

  • System Location Discovery

    ID: T1614

    Tactics: Discovery

    Description: Raccoon Stealer v2 collects the time zone information from the system. (https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/)

  • Web Protocols

    ID: T1071.001

    Tactics: Command and Control

    Description: Raccoon Stealer v2 uses HTTP for C2 communications. (https://blog.sekoia.io/raccoon-stealer-v2-part-1-the-return-of-the-dead/)

infostealers-logo

BE THE FIRST TO KNOW

Get FREE access to Cavalier GPT

Stay informed with the latest insights in our Infostealers weekly report.

Receive a notification if your email is involved in an Infostealer infection.

No Spam, We Promise

BE THE FIRST TO KNOW

Get FREE access to Cavalier GPT

Stay informed with the latest insights in our Infostealers weekly report.

Receive a notification if your email is involved in an Infostealer infection.

No Spam, We Promise